First Principles for Network Defenders: A Unified Theory for Security Practitioners

Executive Summary

Great thinkers like Aristotle, Descartes and Elon Musk have said that, in order to solve really hard problems, you have to get back to first principles. First principles in a designated problem space are so fundamental as to be self-evident; so true that no expert in the field can argue against them. They are atomic. Experts use them like building blocks to derive everything else that is worth knowing in the problem domain. In this paper, I propose that “the” first principle for all network defenders is to prevent high risk material impact to the organization.

In our day-to-day activities, if we are spending resources that are not designed to prevent material impact to our organization, we are wasting them. The three essential tasks that support the first principle are: threat prevention, threat detection, and threat eradication. These comprise the network defender’s trinity; they are atomic and cannot be separated. If you do one and not the other, you will fail the first principle. Additionally, in order to accomplish the three essential tasks of the network defender’s trinity, you need to establish your own intelligence function in order to build adversary group dossiers for those potential adversary groups that pose the largest threat in terms of material impact. Once you have developed them, you need to share them with all the network defenders who have the capability to consume them.

Introduction

Elon Musk is a serial entrepreneur. He sold his first company, Zip2, for $307 million and sold his second, which eventually turned into PayPal, for $1.5 billion. His total net worth is ~$10 billion. He is also a revolutionary problem solver who is not afraid to take on big and hairy problems. He ploughed his wealth into three high-risk research and development companies: SpaceX – putting a man on Mars by 2030 ($100 million), Tesla – electric cars and their supporting infrastructure ($70 million), and SolarCity – reusable energy ($10 million). He did all of this when conventional wisdom said that none of these ventures were going to work. So far, conventional wisdom has been completely wrong.

SpaceX is a privately held company, but followers of the company think it is already profitable. The Tesla Company has had some ups and downs since it went public in 2010, but business experts think it is on its way to profitability in late 2016 or early 2017. SolarCity is struggling a bit, but no more than any of its competitors, and it just announced a new solar panel that is 22 percent more efficient than competitor models and produces 30 percent more electricity than other panels of the same size. The new solar panels are indicative of how Mr. Musk tackles these big and hairy problems. You do not get a 22 percent improvement in solar panel efficiency by incrementally taking the next step. For all three investments, Mr. Musk had to re-imagine the problem domain. According to Ashlee Vance, his authorized biographer,

In other words, Elon Musk likes to get back to first principles when he tackles a new and difficult problem domain.

What is a “First Principle”?

I initially encountered the idea of first principles when I read about Alfred Whitehead and Bertrand Russell’s book Principia Mathematica. Before they published this work in three volumes from 1910 to 1913, the mathematics community had discovered that practitioners could use current theory to prove both sides of a mathematical paradox. To eliminate these paradoxical situations, Whitehead and Russell rebuilt the language of mathematics from the ground up using a small set of first principles.

Musk describes his belief that an understanding of first principles is a better way of grappling with a hard problem space than what most of us do by using analogies. In other words, Musk believes that some people try to solve hard problems by looking for solutions to other hard problems that have a similar nature. We do that with the hope that we can find a complementary solution-tactic or solution-procedure that might work for our own problem set. Musk disagrees.

“In every systematic inquiry where there are first principles, or causes, or elements, knowledge and science result from acquiring knowledge of these; for we think we know something just in case we acquire knowledge of the primary causes, the primary first principles, all the way to the elements. It is clear, then, that in the science of nature as elsewhere, we should try first to determine questions about the first principles.”

Two thousand years later, René Descartes said this about first principles in his book, Principles of Philosophy, published in 1644:

“… in order to study the acquisition of [knowledge] (which is properly called philosophizing), we must commence with the investigation of those first causes which are called Principles. Now these principles must possess two conditions: in the first place, they must be so clear and evident that the human mind, when it attentively considers them, cannot doubt of their truth; in the second place, the knowledge of other things must be so dependent on them as that though the principles themselves may indeed be known apart from what depends on them, the latter cannot nevertheless be known apart from the former. It will accordingly be necessary thereafter to endeavor so to deduce from those principles the knowledge of the things that depend on them, as that there may be nothing in the whole series of deductions which is not perfectly manifest.”

In other words, first principles in a designated problem space are so fundamental as to be self-evident; so true that no expert in the field can argue against them. They are atomic. Experts use them like building blocks to derive everything else that is known in the problem domain. All new knowledge in the problem domain is dependent on these first principles. For example, in Principia Mathematica, after 26 pages of “Prefatory Statements,” Whitehead and Russell declare their first principle:

“The Cardinal Number of a class X … is defined as the class of all classes similar to X.”

Moving from Incremental Improvements to a Giant Leap in the Network Defender Problem Space: Identify the Trunk and the Big Limbs

The notion of cybersecurity has been around since we invented computers, but it did not really start to gain traction for the common person until the world began to use the Internet in earnest back in the early ‘90s. When the Internet was young, it was common for average home users to install some form of antivirus products to protect themselves from the dark side. Since then, vendors have invented a plethora of security products designed to protect the home user, business community and government agencies. But there was no real design to this protection. Smart researchers would see a new black hat technique and invent a new system to counter it, or they would observe how one vendor tackled a problem and take the next step to improve it.

Twenty-five years since it all began, what we have today is a hodgepodge of people, technology and processes that is so complex, so expensive and so difficult to manage that black hats regularly find ways to exploit the seams. What we have is a quarter century of incremental improvement steps in the security problem space. What we need is a giant leap in our capability. Similar to how Elon Musk tackles big and hairy problems, what we need to do is start over by identifying the “First Principles for the Network Defender.” What we need to do is identify the trunk and the big limbs of the network defender space.

Prefatory First Principle Statements

As was the case in Whitehead and Russell’s book, we must first establish some basic terms in order to frame our discussion about Network Defender First Principles. For example, networkdefenders are people responsible for preventing high-risk material impact to the organization through an adversary group’s execution of a cyber campaign plan. Adversarygroups are the human teams behind the execution of adversary campaigns even if the team consists of one individual or the adversary group originates from the inside. Adversary groups have motivations like crime, warfare, espionage, terrorism, hacktivism and mischief, and they launch their campaigns by applying their playbooks to one or more victims. Adversary playbooks are the generic recipes that an adversary group develops in order to penetrate a potential victim’s network and accomplish its mission – a step-by-step process that adversary groups use to attack victims.

Said another way, hackers develop generic playbooks that they intend to use against potential victims. Once they decide upon a target or class of targets, they launch a campaign based upon the playbook. Sometimes they have to modify the playbook during the campaign to overcome an obstacle; but, in the general sense, an adversary campaign is the direct application of the adversary playbook against a specific victim or victims. Network defenders are the people who try to prevent the success of the adversary campaign.

An obvious statement of fact is that network defenders cannot possibly address every potential threat to their organizations. There are simply too many. The prudent network defender racks and stacks the threats that may impact the organization on a risk matrix. On the x-axis, we typically place our assessment of how likely it is that an incident will happen from “zero chance” on the left side to “absolutely will happen” on the right. On the y-axis, we place our assessment of the incident in terms of material impact to the organization from “zero material impact” on the bottom to “the organization ceases to exist” at the top. Material impact means that an incident negatively influences the financial statements of a public company or an incident is so catastrophic that it affects the functioning of a private or government organization. Every organization has a different tolerance for what is acceptable material impact. Each network defender must draw the line in the risk matrix for what is a high-risk, material-impact incident and what is not.

One last clarifying note is that identifying the atomic first principles does not imply that they will be simple principles that are easy to execute, let alone think about. Remember that it took Whitehead and Russell over 80 pages of writing to come up with arguably their first simple rule that 1+1 = 2. The network defender problem domain is a complex environment and, just because we identify the first principles, that does not mean they will not be complex. It simply means that we cannot break them down any further and still understand what we are trying to do.

Network Defender First Principles

With these prefatory statements out of the way, it is time to consider what exactly are the network defender’s first principles. Stated another way, with all the things that network defenders do in the course of their day-to-day operations, what is it exactly that we are trying to accomplish? Boiling down every process, every piece of deployed technology, and every person on the InfoSec staff to the essential task, the atomic element that cannot be broken down any further, what would you say that task is? Better yet, what should it be? Even better, what would all network defenders agree that it should be? After all, that is what Descartes said first principles are. The Network Defender’s First Principles should “… be so clear and evident that [all Network Defenders] … cannot doubt of their truth” because later we will “deduce from those principles the knowledge of the things that depend on them.” Or, as Elon Musk might say, we must identify the trunk and the big branches first so that, when we discover the leaves later, we will have something to hang them on. In this analysis, I propose one big trunk, five big limbs, and just over 10 leaves that grow on the network defender problem domain.

The Trunk of the Tree: Prevent High-Risk Material Impact

The essential task for all network defenders, the atomic task that cannot be broken down any further, the giant tree trunk in the network defender’s problem domain must be: the prevention of high-risk material-impact to our respective organizations. It is the driver of all other tasks that network defenders execute to protect the enterprise. If we are doing anything else in our day-to-day operation that is not oriented toward this principle, then we are wasting resources that could be used for it.

What this means is that it is okay to not worry about all of those potential threats that reside at the bottom of your risk matrix because, even if they happen, they will not cause material impact to your organization. It is okay not to worry about all of those potential threats that reside to the left on your risk matrix because the chances that they will happen are so small that it is a safe bet that they will never happen. The fundamental principle that must drive everything that a network defender does is to prevent those attack campaigns that have the highest probability to cause significant damage to the organization. Said more clearly, network defenders must prevent the high-risk material impact to their organization that results from adversary groups executing their campaign plan against our networks.

It is true, however, that not all adversary groups can effect material impact to every organization even if the risk of the attack succeeding is high. For example, if my organization sells widgets from a web page, a cyber-espionage, nation-state adversary group that steals state secrets is not my concern. Even if that adversary group did breach my network, for whatever reason, the odds that the results would materially impact my organization would be minimal. On the other hand, a cyber-crime adversary group that seeks credit card numbers might have a large impact. If a group like that breached my online widget network, it could very well materially impact my organization. Indeed, the loss of customer trust might materially impact the future of the business.

The point is to realize that not all adversary groups can effect material impact to the business and then adjust resources accordingly. In other words, the network defender’s risk assessment should consider all risks through this material impact and high-risk lens, which brings us to our first leaf to hang on our tree:

Focus on the things that matter and do not get distracted by everything else.

Big Limb #1: Threat Prevention

Like network defenders, adversary groups do not have unlimited resources. They specifically do not invent new ways to attack each new target. It is too time-consuming and chews up too many resources. Instead, for each new target, they take out their playbooks and adopt them for the target at hand.

Adversary groups do not invent new playbooks unless they must.

When they launch their campaigns against specific targets, adversary groups leave indicators of compromise behind in their wake. Indicators of compromise are forensic artifacts that describe an adversary’s methodology; digital clues left behind by the adversary group as it works its way through the phases of the attack lifecycle. The attack life cycle is a phased model that describes the tasks an adversary group must accomplish in order to complete its mission: recon for victim weaknesses, deliver the initial attack, compromise victim zero, and install a command and control channel. From here, what adversaries do next depends on their motivation: crime, espionage, hacktivism, terrorism, warfare or mischief. They might spread laterally, compromising as many endpoints as they can for some future task. They might cause damage. They might exfiltrate information.

Over time, threat researchers, security vendors and government intelligence agencies discover new indicators of compromise by observing campaign activity. Because of the adversary group’s propensity to reuse their playbooks against multiple victims, it is possible for the network defender community to know many, if not most, of the indicators of compromise that adversary groups leave behind as they attack their victims. It follows then that:

The network defender community knows most of the indicators of compromise attributed to adversary campaigns on any given day.

Threat prevention is the act of turning known indicators of compromise into one or more deployed prevention controls. Prevention controls are technical safeguards or countermeasures derived from observing adversary group campaign activity that network defenders design and deploy to thwart adversary campaigns at each phase of the attack lifecycle. It is possible to thwart an entire adversary group campaign by deploying the correct prevention control at the precise spot in the attack lifecycle. Moreover:

Deploying as many prevention controls as possible at every stage in the attack lifecycle of a known adversary campaign almost assuredly guarantees that the specific adversary campaign will succeed.

This implies that, in order for network defenders to prevent high-risk material-impact, they most assuredly must have a robust threat prevention program in place. But that does not mean that network defenders can stop all campaign activity. Adversary groups continually improve their craft. They seek new ways to penetrate networks without being discovered. They seek better plays to put into their playbooks. We know that some adversary group will have success with some adversary campaign somewhere. What do network defenders do when that happens to their networks?

Big Limb #2: Threat Detection

If network defenders only use threat prevention to stop high-risk, material-impact attacks, they will likely fail because of two specific cases: 1) adversary groups will deploy new, unknown playbooks that have not been seen by the network defender community before, or 2) the adversary group may be operating in an area of your network where you have failed to adequately deploy your threat prevention program. In both cases, more is needed. Threat detection is the act of hunting for “known” indicators of compromise throughout the enterprise at each phase of the attack lifecycle and investigating “unknown,” anomalous behavior wherever it is found, deciding what the anomalous behavior is and taking the appropriate actions once discovered.

Deploying a hunting team is different from passively deploying prevention controls throughout the defender’s network. Hunting is the act of aggressively seeking adversary campaign activity using known indicators of compromise and rigorously tracking unknown network behavior until it is understood. These actions will help network defenders discover campaign activity that was not properly blocked in the dark corners of their networks, along with new unknown campaign activity. But, if new campaign activity is discovered, that is just half the battle. The next step is to mitigate that newly discovered threat to your organization.

Big Limb #3: Threat Eradication

In the wake of discovering a new, unknown threat, network defenders have to be proficient at eradicating this now-known threat from their network or, at the very least, minimizing the adversary’s group impact now that they have been discovered. Threat eradication is the act of minimizing the effectiveness of newly discovered adversary campaign activity by blocking future activity through the Threat Prevention program, analyzing the purpose of this new campaign, and installing additional countermeasures that will likely thwart the accomplishment of the campaign objectives. It is a two-pronged strategy. First, network defenders turn these previously unknown indicators of compromise into prevention controls for their networks. Second, they seek to understand the adversary group’s objectives to determine if there is anything else that might be done to frustrate the accomplishment of the campaign’s mission.

Big Limb #4: The Network Defender’s Trinity

While similar, all three of these essential tasks – threat prevention, threat detection, and threat eradication – accomplish key and indispensible network defender activities. Individually, each is important but not sufficient to prevent high-risk material impact to the organization. They are inextricably linked, atomic, and irreducible. They are the network defender’s trinity, and the network defender must be proficient at all three.

The trinity programs will not stop all adversary groups immediately. Installed properly, they will provide a framework to block every threat that is known, allow network defenders to discover new threats as they emerge, and provide a mechanism to mitigate any newly discovered adversary campaign activity within their enterprise. In order to establish this trinity system though, information is needed. Indicators of compromise must be collected, sorted, evaluated and prioritized.

Intelligence collection is the act of gathering indicators of compromise from network and endpoint systems throughout the enterprise and discovering any supplemental information from internal and external sources that can add context regarding what the adversary group is about. In order to execute the network defender’s trinity, the network defender must be able to collect intelligence and insert prevention controls, specifically, at each phase of the attack lifecycle. In other words, they seek to maximize visibility and control at those key locations. This means that the network defender will deploy various technologies to facilitate that task.

The downside is that the more technologies network defenders deploy, the more complex the system becomes for them to manage. Complexity is the enemy to any security program. The more complex a system is, the more likely it is that an adversary group will discover a way to bypass it.

Complexity is the enemy of any security program.

It is essential then that network defenders seek a unifying system of systems that automates the correlation of intelligence collection and the deployment of prevention controls as much as possible without needing a human in the loop. They must either consolidate the intelligence and deploy the prevention controls themselves through their own automation efforts or seek security vendors to do this for them.

Network defenders must seek a unifying system of systems that automates the correlation of intelligence collection and the deployment of prevention controls in order to reduce the complexity and cost of their trinity programs.

That said, network defenders live in a resource-restricted environment. The InfoSec budget will likely run dry long before the network defender can implement these fundamental trinity activities within their organizations for every adversary campaign in existence. That is why network defenders must remember the first principle: prevent high-risk, material-impact attack campaigns. Concentrate trinity activates for those adversary campaigns that could cause material impact first. Prioritize network defender activity on the potentially most impactful and work down the list.

By concentrating on preventing material impact to the organization and deploying the network defender’s trinity, network defenders need a way to determine the priority of effort. They need a way to understand adversary campaign intelligence as it applies to their own environments. They need a way to collect indicators of compromise of known adversary campaigns for their threat prevention programs, distribute those same indicators of compromise to their hunting teams for their threat detection programs, and evaluate the missions and potential impact of newly discovered adversary campaigns for their threat eradication programs. What is required is a dedicated threat intelligence team.

Network defenders need a dedicated internal threat intelligence team in order to fully support the Network Defender’s Trinity.

The skillsets of the internal threat intelligence team are different from the skillsets of the traditional security operations center team. A security operations center is the primary location of the staff dedicated to monitoring, detecting, and isolating cybersecurity incidents and the managing all of the security products, network devices, and endpoint systems within the organization. The essential purpose of the intelligence team is to create adversary group dossiers in order to evaluate the group’s potential material impact to the organization.

An adversary group dossier is a collection of attributed indicators of compromise to a specific adversary campaign or generic adversary playbook, plus any additional context about the adversary group. Adversary group context is any supplemental information about the adversary group – motivation and purpose, typical victims, common data stolen, etc. – that will enhance the network defender’s assessment of the adversary group’s potential material impact on the organization. Keep in mind that, to be considered good, intelligence teams only need to be completely accurate about 75 percent of the time. To put that into perspective, this is way better than the hitting percentage of a baseball hall of fame hitter has to be but significantly lower than the percentage of receipts my wife expects me to have when answering travel voucher questions.

On thing to distinguish is the difference between adversary group dossier intelligence and personally identifiable information (PII). This is an important distinction because of the implications that intelligence collection may violate an individual’s right to privacy. This is absolutely not the case. Personally identifiable information (PII) is any information about an individual (including education, financial transactions, medical history, and criminal or employment history), along with information that can be used to distinguish or trace the individual’s identity (including name, address, or telephone number; date and place of birth; mother’s maiden name; Social Security number or other government-issued unique identification number; biometric data; or unique account identifiers). An adversary group dossier does not contain any of this kind of information and, indeed, is not necessary to assess the group’s potential material impact to the organization.

Adversary group dossiers do not and should not contain PII.

As network defenders mature their collections of adversary group dossiers, they should pursue information sharing arrangements with vigor. Cybersecurity intelligence information sharing is the act of sharing adversary group dossiers with any network defender who can consume them. This includes the security vendors you use in your deployed network defender trinity programs; especially threat prevention.

Security vendors are network defenders too; and, if your intelligence team develops robust adversary group dossiers, what precludes you from sharing that information with your security vendors? The answer should be nothing. Your vendors most likely have ways to automatically deploy prevention controls to their deployed products. Since there are no privacy concerns in the form of PII, it behooves all network defenders to keep their partner security vendors abreast of the latest adversary campaign information your internal intelligence team develops.

Security vendors are network defenders too. Share adversary group dossier information and adversary group context with them as much as possible. Deploy their automatic sharing capabilities to reduce complexity.

Developing adversary group dossiers is hard work and time-consuming. Doing that work in a vacuum is inefficient and expensive. Working together across the network defender community to refine adversary group dossiers reduces the effort by individual network defender teams. In other words:

Crowdsourcing the development of adversary group dossier intelligence reduces inefficiency and expense.

It gives the network defender community two large benefits. First, one intelligence team does not have to be the expert on every adversary campaign or playbook in existence. One network defender team can rely on the network defender community to complete their portfolio. They should concentrate on those adversary groups that might cause material impact to their organization; but, when new adversary groups emerge, the intelligence team can begin their analysis with what other intelligence groups already know about the adversary. Second, all intelligence teams can check their adversary group dossiers against what other intelligence teams already know in order to complete the picture and normalize the information.

Information sharing should have no limits either in regards to who shall receive the intelligence. Even if some individual intelligence teams may perceive the receiver as a potential adversary, share the intelligence anyway. Information sharing is about network defense, not about keeping secrets. It does not matter if the adversary knows what the network defender knows. If the network defenders in the security operations center have fully deployed their threat prevention program – converting known indicators of compromise into prevention controls throughout the attack lifecycle in their enterprise – then they will have successfully blocked any existing adversary campaign activity. This, in turn, will cause the adversary to spend resources to create new playbooks on a regular basis. If the information sharing community is robust enough, only the advanced adversaries will be able to stay ahead of the community for any length of time. And with the rest of the network defenders’ trinity in place – threat detection and threat eradication – that window of opportunity will get smaller and smaller over time.

It does not matter if adversary groups know what network defenders have learned about the specifics of their adversary campaigns and playbooks. What matters is the swift execution of the network defender’s trinity.

Further, sharing adversary group dossiers with the public will in no way tarnish the network defender’s brand. Public breach announcements have become so common in the press that most network defenders think it is no longer a question of “if” an adversary group will breach their networks but “when.” Releasing adversary group dossiers to the public also does not imply that the adversary group was successful at accomplishing its mission. It merely provides what the targeted network defender has observed in terms of campaign activity for a specific group. Instead of tarnishing the brand, it will likely enhance the brand’s reputation by showing the world that your organization gives back to the community.

Sharing adversary group dossiers with the security community enhances the network defender’s brand.

Sharing adversary group dossiers with competitors will not affect the security vendor’s bottom line either. In the past, security vendors did not participate in information sharing programs with an eye toward helping the community per se. For the most part, they considered intelligence gathered through their services as proprietary. If security vendors provided the intelligence to their customers or to the public at large, they did it with an eye toward generating revenue. They either made their customers pay for it or used it as marketing collateral to show the world their areas of expertise. But that was, and still is, shortsighted.

Good intelligence is actionable. It is not about the intelligence you collect. It is about how you use the intelligence once you get it.

By sharing intelligence with everybody – friends, peers and, yes, competitors – intelligence becomes a commodity. Everybody will have the same intelligence. All security vendors will use that knowledge to build better security products that actually help with the network defender’s trinity. Network defenders should not solely buy security products based on how good the intelligence provided by the vendor is. Instead, they should look at how security vendors use intelligence to prevent the success of adversary campaigns.

Sharing adversary group dossiers with peers, competitors and other network defenders in no way relinquishes a competitive advantage in the marketplace.

Information sharing frames the classic intelligence dilemma. The intelligence dilemma is the dichotomy between the network defender’s desire to prevent adversary campaign activity and the intelligence community’s desire to keep the adversary in a box – to simply observe and monitor the activity so that they can keep an eye on it. On the one hand, network defenders desire to establish as many reciprocal information sharing arrangements as possible in order to enhance their network defender’s trinity programs. On the other, a niche of intelligence analysts – typically law enforcement and the worldwide government intelligence community – desire to share adversary campaign intelligence only with a select few in order not to tip off the adversary as to what the community knows about them. This causes the intelligence community to classify adversary campaign indicators of compromise and adversary group context in such a way that the average network defender does not have access to the information.

The intelligence community is cognizant and concerned that the effort they spent on discovering how the adversary operates will be worthless once the adversary realizes their playbook has been discovered and moves on to the next playbook. This is probably true, but it also ignores the fact that, because these intelligence analysts only allow a small handful of elite network defenders to see this classified campaign intelligence anyway, the rest of us are left wide open to these very attacks.

Network defenders are motivated differently from the intelligence community. Network defenders want to prevent material impact to their organizations. The intelligence community, by and large, wants to influence friends and enemies in order to support political objectives or put criminals in jail. Some in the intelligence community also have a prevention mission to support critical infrastructure within their respective countries; but because of the way they classify intelligence, this is subservient to the other missions. The prevention mission is almost always the last priority. Both sides of the dilemma are important and worthy causes. But it is also not true that the network defender’s mission is less important. This is why the situation is called the intelligence dilemma.

The network defender’s mission to prevent material impact is no less important than the intelligence community’s missions.

In a resource-restrained environment, enhancing the security operations center with an intelligence function allows the InfoSec team to focus on the network defender’s first principles. Instead of trying to stop all threats coming into the network with equal weight and effort, the intelligence team gives the security operations center the ability to prioritize their efforts. By establishing reciprocal information sharing agreements with as many like-minded organizations as possible, including potential adversary groups and security vendors, the intelligence group can compile a rich set of adversary group dossiers that will enhance their internal network defender trinity programs.

Conclusion

After some 25 years of incremental improvements to the cybersecurity landscape, the situation does not seem to be getting any better. Read the news on any given day and it appears that adversary groups demonstrate success after success regardless of the great innovations we have seen in prevention and intelligence tools available in the marketplace and developed in-house by advanced security organizations. As Elon Musk might say, in order to take a giant leap and get ahead of the adversary, it is time to get back to the basics; to identify the first principles that all network defenders should understand; to find the trunk and the big branches that must be in place first before we add on the leaves. As Aristotle and Descartes might have said, we need to understand the atomic elements of the problem domain; those concepts that experts cannot break down any further so that we can layer, like building blocks, the innovative solutions that will make our efforts more successful, more efficient, and more cost effective.

In this paper, I proposed that the first principle for all network defenders is to prevent material impact to the organization. In our day-to-day activities, if we are spending resources that are not designed to prevent material impact to our organization, we are wasting them. The three essential tasks that support the first principle are: threat prevention, threat detection, and threat eradication. These are the network defender’s trinity; they are atomic and cannot be separated. If you do one and not the other, you will fail the first principle. Finally, in order to accomplish the three essential tasks of the network trinity, you need to establish your own intelligence function in order to build adversary group dossiers for those potential adversary groups that pose the largest threat in terms of material impact. Once you have developed them, you need to share them with all the network defenders who have the capability to consume them. These are the network defender’s first principles; the building blocks that we all can use to protect our organizations.

Definitions

acceptable material impact: On the spectrum of potential material impact to an enterprise that ranges from low risk on one side to the organization ceases to exist on the other, the section of the spectrum that the network defender considers so low in terms of risk that the cost of preventing it far outweighs the impact to the organization.

attack lifecycle: A phased model that describes the tasks an adversary group must accomplish in order to accomplish the adversary campaign’s ultimate goal.

adversary campaign plan: A collection of indicators of compromise for each phase in the attack lifecycle attributed to a specific adversary group by an intelligence team; the application of an adversary group’s playbook to a specific victim.

adversary group: The human team behind the execution of adversary campaigns even if the team consists of one individual and even if the adversary group originates from the inside.

adversary group context: Any supplemental information about the adversary group – motivation and purpose, typical victims, common data stolen, etc. – that will enhance the network defender’s assessment of the adversary group’s potential material impact to the organization.

adversary group dossier: A collection of attributed indicators of compromise to a specific adversary campaign or generic adversary playbook, plus any additional context about the adversary group.

adversary information sharing: The practice of sharing adversary dossier intelligence with other organizations that can consume and use it.

adversary playbook: The generic recipe that an adversary group develops in order to penetrate a potential victim’s network and accomplish the adversary group’s mission; a step-by-step process that adversary groups use to attack victims.

attribution: The practice of ascribing indicators of compromise and context to a specific adversary or adversary group.

best practices: A collection of methods and techniques that have proven successful over time.

blocking known threats: The process of deploying security controls that disrupt an adversary’s campaign plan.

cybercrime: Adversary campaign conducted by criminals with the intent to acquire wealth through illegal means.

cyber espionage: Adversary campaigns conducted by industrial or state-sponsored spies in order to steal actionable intelligence that will give their organization a competitive edge.

cyber hacktivism: Adversary campaigns conducted by activists in order to highlight or influence political or social change; normally intended to embarrass or shame or expose the organization or individual the hacktivist judges as responsible.

cyber mischief: Adversary campaigns conducted by hackers in order to test their tools or to satisfy their curiosity about what they might be able to accomplish.

cybersecurity intelligence information sharing: The act of sharing adversary group dossiers with any network defender that can consume them.

cyber terrorism: Adversary campaigns conducted by terrorists in order to highlight or influence political or social change; normally intended to shock the world and cause fear of death or injury or change in the establishment way of life.

cyberwar: Adversary campaigns conducted by one or more nation-states using cyber weapons to destroy each other’s national treasure to achieve some political purpose.

detecting unknown threats: The process of identifying new indicators of compromise used by adversary groups when they execute their adversary campaign plans.

disrupting unknown threats: The process of developing and deploying new security controls for previously unknown threats.

first principles: Principles in a designated problem space that are so fundamental as to be self-evident; so true that no expert in the field can argue against them. These so-called experts use them like building blocks to create everything that is known in the problem domain. All new knowledge in the problem domain is dependent on these first principles.

indicators of compromise: Forensic artifacts that describe an adversary’s methodology; digital clues left behind by the adversary group as they work their way through the attack lifecycle.

intelligence collection: The act of gathering indicators of compromise from network and endpoint systems throughout the enterprise and discovering any supplemental information that can add context regarding what the adversary group is about.

intelligence dilemma: The dichotomy between the network defender’s desire to stop adversary campaign activity and the intelligence community’s desire to simply observe it.

material impact: In cyber terms, an incident important enough to influence the financial statements of a commercial company or so catastrophic that it affects the functioning of a private or government organization.

network defenders: The people responsible for preventing unacceptable material impact to the organization through an adversary group’s execution of a cyber campaign plan.

Network Defender’s Trinity: The concept that an organization’s security program must incorporate three equal parts of threat prevention, threat detection, and threat mitigation; that sacrificing one over the others weakens the organization’s security posture.

personally identifiable information (PII): any information about an individual (including education, financial transactions, medical history, and criminal or employment history), along with information that can be used to distinguish or trace the individual’s identity (including name, address, or telephone number; date and place of birth; mother’s maiden name; Social Security number or other government-issued unique identification number; biometric data; or unique account identifiers).

prevention controls: Technical safeguards or countermeasures, derived from observing adversary group campaign activity, that network defenders design and deploy to thwart adversary campaigns at each phase of the attack lifecycle.

security controls: The deployed mitigation processes, both electronic and physical, that will disruptadversary groups as they execute their adversary campaign plan.

security operations center: the primary location of the staff dedicated to monitoring, detecting, and isolating cybersecurity incidents and the management of all security products, network devices and endpoint systems.

threat detection: the act of hunting for known indicators of compromise throughout the enterprise at each phase of the attack lifecycle and investigating unknown anomalous behavior wherever it is found.

threat eradication: the act of minimizing the effectiveness of newly discovered adversary campaign activity – new indicators of compromise – by blocking future activity through the Threat Prevention program, analyzing the purpose of the campaign and installing additional countermeasures that will likely thwart the accomplishment of the campaign objectives.

threat prevention: The act of turning known indicators of compromise into one or more prevention controls at each phase of the attack life ycle that network defenders deploy throughout their enterprise.

unacceptable material impact: On the spectrum of potential material impact to an enterprise that ranges from low risk on one side to the organization ceases to exist on the other, the section of the spectrum that the network defender considers anathema and must be prevented at all costs.